Hi Bosco,
I was reading this link:
https://community.hortonworks.com/articles/175133/how-hiveserver2-and-ranger-interact-internals.html
And it was specifically mentioning the Hiveserver2, so that's why I was
wondering if just the Hiveserver2 needed to run the SSSD.

As a good practice, do you mean it is mandatory?

Thanks.

On Tue, 26 Mar 2019 at 21:28, Don Bosco Durai <bo...@apache.org> wrote:

> Hi Odon
>
> As a good practice, each node should have the SSSD installed and
> configured.
>
> If you are doing PoC or testing out, then at least the master nodes should
> have it configured.
>
> Bosco
>
> From: Odon Copon <odonco...@gmail.com>
> Reply-To: <user@ranger.apache.org>
> Date: Tuesday, March 26, 2019 at 2:07 AM
> To: <user@ranger.apache.org>
> Subject: Re: Ranger + Hive
>
> Good point. Not sure which components need to have the users and groups
> from LDAP.
>
> Just Hiveserver2? Any other Hadoop component?
>
> Is there any link to that information?
>
> Thanks
>
> On Tue, 26 Mar 2019, 01:30 Don Bosco Durai, <bo...@apache.org> wrote:
>
> If you already have LDAP, then you should install SSSD on all nodes. SSSD
> will only materialize the users when requested for.
>
> I think, in your case, if you are only using Hive, then you would just
> need SSSD on the server which is running HiveServer2
>
> Depending on the users you want to set policies in Ranger, you can apply
> filters during user sync.
>
> Bosco
>
> From: Odon Copon <odonco...@gmail.com>
> Reply-To: <user@ranger.apache.org>
> Date: Monday, March 25, 2019 at 3:33 PM
> To: <user@ranger.apache.org>
> Subject: Re: Ranger + Hive
>
> Hi Bosco,
>
> Thank you for your help and the information provided.
>
> I don't want to have all users and groups as part of the server, that's
> why I'm looking for the mapping option with LDAP.
>
> My groups are changing rapidly and I'm not considering having something
> like Ansible adding and removing users and groups from the server
> constantly.
>
> Does it make sense?
>
> Thanks
>
> On Mon, 25 Mar 2019, 21:58 Don Bosco Durai, <bo...@apache.org> wrote:
>
> Hi Odon
>
> If you are not using Kerberos, then it is much simpler. You don’t need to do
> a lot…
>
> Do you even need groups or group level policies? If so, you just need to
> create OS users and assign the groups you want to on the server where
> HiveServer2 is running.
>
> > Why do you say "LdapGroupsMapping is not recommended". It seems the only
> > way to ingest and use information from LDAP.
>
> By default, Hadoop will go to the OS and get the groups for the user. So
> if you are doing SSSD (or similar technology), then it will get the groups
> from LDAP for you. So you don’t need to do any configuration in the
> core-site.xml.
>
> Check this article:
> https://www.cloudera.com/documentation/enterprise/5-9-x/topics/cm_sg_ldap_grp_mappings.html
>
> Bosco
>
> From: Odon Copon <odonco...@gmail.com>
> Reply-To: <user@ranger.apache.org>
> Date: Monday, March 25, 2019 at 10:09 AM
> To: <user@ranger.apache.org>
> Subject: Re: Ranger + Hive
>
> Hi Bosco,
>
> Thanks for your help.
>
> For this test I'm not using Kerberos, I'm just testing a simple pipeline
> with Hive+Ranger and some external tables in S3 and see what are the
> requirements.
>
> From your comments, I understand I need to set up SSSD as explained in the
> link you provided:
> https://docs.hortonworks.com/HDPDocuments/Ambari-2.6.2.0/bk_ambari-security/content/setting_up_hadoop_group_mappping_for_ldap_ad.html
>
> and having also the sync for Ranger would allow me to create policies.
>
> Why do you say "LdapGroupsMapping is not recommended". It seems the only
> way to ingest and use information from LDAP.
>
> Thanks.
>
> On Mon, 25 Mar 2019 at 16:47, Don Bosco Durai <bo...@apache.org> wrote:
>
> There are a few things:
>
>    1. In Kerberos/secure mode, users need to be materialized on each
>    node. If you are using AD/LDAP, then you can use SSSD (or equivalent), else
>    you need to create the users explicitly on each node using ansible or
>    puppet or manually…
>    2. The group mapping can be via LDAP or by groups from unix (SSSD will
>    also do this for you). FYI, LdapGroupsMapping is not recommended due to
>    performance reasons. FYI, if you are using SSSD, it will get the groups
>    from LDAP/AD.
>    3. In Kerberos/secure mode, you need to materialize users on each node
>    regardless of whether you are accessing S3 or HDFS. This is a YARN
>    requirement, so that the YARN job process will run as the end user.
>    4. The users and groups in Ranger are just for convenience to create
>    policy. Having it or not in Ranger doesn’t affect the service. However,
>    you will not be able to create the policies in Ranger. During testing or
>    PoC, if you don’t want to sync, you can manually add to Ranger using
>    Ranger Admin UI.
>
> Bosco
>
> From: Odon Copon <odonco...@gmail.com>
> Reply-To: <user@ranger.apache.org>
> Date: Monday, March 25, 2019 at 8:36 AM
> To: <user@ranger.apache.org>
> Subject: Ranger + Hive
>
> Hi,
>
> On my last test using HDFS + Ranger I had to sync my LDAP groups with
> Hadoop based on the following link:
> https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/setting_up_hadoop_group_mappping_for_ldap_ad.html
>
> That means users and groups had to be in Ranger and Hadoop cluster to make
> policies work.
>
> But what about Hive + Ranger?
>
> Is that mapping also required?
>
> Do I need users also to be mapped in Hadoop cluster?
>
> What if tables are in S3 instead of HDFS, for example?
>
> Thanks.
>

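Added example, not written by anyone in this thread and not Ranger or Hadoop project code: a per-node check for the setup discussed above, reporting which `hadoop.security.group.mapping` a core-site.xml puts in effect and whether the OS (and therefore SSSD) resolves the users and groups that policies will name. The property and class names are Hadoop's; `check_node`, the `resolve` parameter, the sample XML and the user/group names are assumptions made for the example.

```python
import grp, os, pwd
import xml.etree.ElementTree as ET

PROP = "hadoop.security.group.mapping"
# Hadoop's shipped default resolves groups through the OS (NSS, hence SSSD).
DEFAULT = "org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback"
LDAP = "org.apache.hadoop.security.LdapGroupsMapping"

# Constructed sample core-site.xml overriding the default (not from the thread).
SAMPLE_CORE_SITE = f"""<configuration>
  <property><name>{PROP}</name><value>{LDAP}</value></property>
</configuration>"""

def group_mapping(core_site_xml):
    """Return the group mapping class in effect for this core-site.xml text."""
    for prop in ET.fromstring(core_site_xml).iter("property"):
        if (prop.findtext("name") or "").strip() == PROP:
            return (prop.findtext("value") or "").strip() or DEFAULT
    return DEFAULT

def os_groups(user):
    """Group names the OS returns for user, or None if it cannot be resolved."""
    try:
        pw = pwd.getpwnam(user)
    except KeyError:
        return None
    names = set()
    for gid in os.getgrouplist(user, pw.pw_gid):
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            names.add(str(gid))  # gid with no group entry
    return sorted(names)

def check_node(core_site_xml, expected, resolve=os_groups):
    """expected maps user -> groups that policies rely on; returns findings."""
    findings = []
    if group_mapping(core_site_xml) == LDAP:
        findings.append("LdapGroupsMapping set: groups do not come from the OS/SSSD")
    for user, want in sorted(expected.items()):
        have = resolve(user)
        if have is None:
            findings.append(f"{user}: not resolvable on this node")
        elif set(want) - set(have):
            findings.append(f"{user}: missing groups {sorted(set(want) - set(have))}")
    return findings

if __name__ == "__main__":  # "alice" and "analysts" are hypothetical names
    print("\n".join(check_node(SAMPLE_CORE_SITE, {"alice": {"analysts"}})))
```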